"We Only Use De-Identified Data" — Why That Claim Is Almost Always Wrong

January 13, 2026 | Jeremy Mittler

"We only use de-identified data" gets thrown around a lot in ad tech. And it's almost always wrong. Here's why.

There are two very different meanings of de-identified. Confusing them is where a lot of privacy risk comes from.

De-Identified Under HIPAA

HIPAA was built for clinical data flows.

Remove direct identifiers. Reduce re-identification risk. Have an expert determine the data is unlikely to re-identify a patient.

That analysis can be rigorous.

But HIPAA mostly evaluates data at a moment in time and largely in isolation.

De-Identified Under State Privacy Laws

State privacy laws were written for the ad tech ecosystem.

They ask a different question.

Not just "what fields are present?" But "what can this data do once it starts moving?"

They care about linkability.

Can this data be associated with a person, device, or household?

Where Things Fall Apart

In advertising, data is valuable because it gets linked.

The moment data is connected to an identity spine, you've enabled identification.

Maybe not a name. Maybe not an address.

But a device. A household. An IP address.

In ad tech, that is identity.

So saying "this data is de-identified" while also designing it for activation is a contradiction.
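To make the contradiction concrete, here is an added example (not from the original post or from Blueprint Audiences) that runs both views over the same records: a field-level check in isolation, then a linkability audit against an identity spine. The column names, the sample segment and the spine are all constructed assumptions.

```python
# Constructed sample data; every column name and value here is an assumption.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "street_address", "ssn"}

# A "de-identified" audience segment: no direct-identifier columns at all.
SEGMENT = [
    {"device_id": "dev-a1", "ip": "203.0.113.10", "zip3": "021", "segment": "cardiology"},
    {"device_id": "dev-b2", "ip": "203.0.113.10", "zip3": "021", "segment": "cardiology"},
    {"device_id": "dev-c3", "ip": "198.51.100.7", "zip3": "606", "segment": "oncology"},
    {"device_id": None, "ip": None, "zip3": "945", "segment": "oncology"},
]

# A constructed identity spine: (column, value) pairs it can resolve to a household.
SPINE = {
    ("device_id", "dev-a1"): "hh-1",
    ("ip", "203.0.113.10"): "hh-1",
    ("device_id", "dev-c3"): "hh-2",
}

def isolation_check(rows):
    """Field-level view: which direct-identifier columns are present?"""
    present = set().union(*(r.keys() for r in rows))
    return sorted(present & DIRECT_IDENTIFIERS)

def linkability_audit(rows, spine):
    """Data-in-motion view: which rows resolve to a household, and via which column?"""
    findings = []
    for i, row in enumerate(rows):
        hits = {col: spine[(col, val)] for col, val in row.items()
                if val is not None and (col, val) in spine}
        findings.append({"row": i, "households": sorted(set(hits.values())),
                         "via": sorted(hits)})
    return findings

def summarize(rows, spine):
    """Put both answers side by side for the same data set."""
    findings = linkability_audit(rows, spine)
    linked = [f for f in findings if f["households"]]
    by_column = {}
    for f in linked:
        for col in f["via"]:
            by_column[col] = by_column.get(col, 0) + 1
    return {"direct_identifiers": isolation_check(rows),
            "linked_rows": len(linked), "total_rows": len(rows),
            "by_column": by_column}

if __name__ == "__main__":
    print(summarize(SEGMENT, SPINE))
```

The second row is the one to watch: its device is unknown to the spine, yet it still resolves to a household through the shared IP address.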

The Takeaway

HIPAA de-identified means low risk in isolation.

State-law de-identified means no reasonable way to associate data with a person in the real advertising world.

Those are not the same thing.

And a lot of "privacy-safe" claims quietly rely on pretending they are.

Want to Learn More?

At Blueprint Audiences, we build healthcare audiences without relying on individual-level health inferences or linkable identifiers. Our approach is designed for the state privacy law landscape—not just HIPAA.

Connect with me on LinkedIn to discuss how your marketing strategy can adapt to today's privacy requirements—or contact us to learn more about Blueprint's privacy-first approach.